AP (The Netherlands) - z2018-02009
Revision as of 09:45, 3 April 2021
AP - Employee Insurance Agency (UWV)

| Field | Value |
|---|---|
| Authority | AP (The Netherlands) |
| Jurisdiction | Netherlands |
| Relevant Law | Article 32 GDPR |
| Type | Investigation |
| Outcome | Violation Found |
| Started | |
| Decided | 31.07.2018 |
| Published | |
| Fine | n/a |
| Parties | n/a |
| National Case Number/Name | Employee Insurance Agency (UWV) |
| European Case Law Identifier | n/a |
| Appeal | n/a |
| Original Language(s) | Dutch |
| Original Source | AP (in NL) |
| Initial Contributor | GDPR MASTer Project |
The Dutch Employee Insurance Agency (UWV), whose employer portal handles employee health data, is ordered, subject to a penalty of €150,000 per month until the requirements are met, to remedy the insufficiently secure access control to its portal.
English Summary
Facts
The UWV's employer portal, which handles employee health data, is investigated for its use of single-factor authentication (email address and password) to grant access to the portal.
Dispute
Is single-factor authentication sufficient given the sensitive nature of the data stored on the portal?
Holding
The Dutch Data Protection Authority considers single-factor authentication insufficient given the nature of the data (under Article 32 GDPR) and points to multi-factor authentication as the appropriate safeguard. The UWV is ordered, subject to a penalty of €150,000 per month up to a maximum of €900,000, to implement sufficient access control to the portal.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
P.O. Box 93374, 2509 AJ The Hague
Bezuidenhoutseweg 30, 2594 AV The Hague
T 070 888 85 00 - F 070 888 85 01
autoriteitpersoonsgegevens.nl

Registered mail
UWV, Board of Directors
P.O. Box 58285
1040 HG Amsterdam

Date: July 31, 2018
Our reference: z2018-02009
Contact: [CONFIDENTIAL], 070 888 85 00
Subject: Order subject to a penalty (cease and desist)
Annex(es): 2

Summary

1. On 27 March 2017 the Dutch Data Protection Authority (hereinafter: the AP), on the basis of Article 60 of the Personal Data Protection Act (hereinafter: the Wbp), as it applied at the time, instituted an investigation into the use of multi-factor authentication in the employer portal of the Employee Insurance Agency (hereinafter: the UWV).

2. In the employer portal the UWV processes, among other things, personal data relating to the health of employees. Access to the portal should therefore take place through multi-factor authentication. At this moment the UWV makes do with one-factor authentication when granting access to the employer portal.

3. In the report of definitive findings (hereinafter: the investigation report) the AP established that the UWV acts contrary to Article 13 of the Wbp, as it applied at the time, on the basis of which, insofar as relevant here, a controller must take measures to protect personal data against loss or any form of unlawful processing.

4. The AP bases the order subject to a penalty on the investigation report, on the view the UWV gave orally on the AP's intention to impose an order subject to a penalty, and on the information the UWV provided at the AP's request.

5. Since 25 May 2018 the General Data Protection Regulation (hereinafter: the GDPR) applies. Article 32, first paragraph, of the GDPR lays down the same obligation as applied under Article 13 of the Wbp. Now that this violation continues, the UWV violates Article 32, first paragraph, of the GDPR.

6. The UWV wishes to connect to the eRecognition system (eHerkenning) in order to apply multi-factor authentication in this way when granting access to the employer portal. The expected date from which logging in to the employer portal will only be possible through eRecognition has, since the AP's first question by letter of 25 November 2015, meanwhile moved to 1 November 2019.

7. As a result of the above, the AP has decided, pursuant to Article 16, first paragraph, of the GDPR Implementation Act (hereinafter: the UAVG) in conjunction with Article 5:32, first paragraph, of the General Administrative Law Act (hereinafter: the Awb), to impose an order subject to a penalty. With this order the AP intends to ensure that the detected violation is ended.

8. By 31 October 2019 access to the employer portal must be provided with an appropriate security level, whereby logging into the portal is only possible through an appropriate form of multi-factor authentication. Part of the order is the requirement that the UWV redetermines the confidence level by performing a risk analysis using the most recent version of the Guide "Reliability levels for digital services, a guide for government organizations" (version 4).

9. If the grace period is not complied with, the UWV forfeits a penalty of EUR 150,000 for each month that the order is not (fully) executed, up to a maximum of EUR 900,000.

Course of the procedure

10. On 29 August 2017 the AP sent the investigation report to the UWV. The public version of the report was published on the AP website on 14 November 2017.

11. By letter of 15 August 2017 the AP, in connection with the investigation, asked the UWV questions about the size of the employer portal.

12. By letter of 30 August 2017 the UWV responded to the AP's questions of 15 August 2017.

13. By letter of 11 September 2017 the UWV gave its response to the investigation report. It indicates, among other things, that the security level does not meet the requirements of Article 13 of the Wbp and that it intends to implement eRecognition at level "substantial".

14. By letter of 9 November 2017 the UWV informed the AP about the progress of the implementation of eRecognition.

15. By letter of 14 December 2017 the AP notified the UWV of its intention to impose an order subject to a penalty and gave the UWV the opportunity to present its views on this orally or in writing. The UWV was invited to a hearing.

16. The hearing took place on 6 February 2018. The report of the hearing is attached as Annex 1 to this decision.

17. Following what was discussed during the hearing, the UWV provided additional information and additional documents by letter of 28 February 2018, including the project plan eRecognition.

18. In response to the information received by letter of 28 February 2018, the AP asked the UWV questions by letter of 15 March 2018.

19. By letter of 3 April 2018 the UWV responded to the AP's questions of 15 March 2018 and provided the "Risk analysis absenteeism report" (hereinafter: the risk analysis).

20. On the basis of the information received by letter of 3 April 2018, the AP asked the UWV further questions by letter of 14 May 2018.

21. By letter of 25 May 2018 the UWV responded to the AP's questions of 14 May 2018.

Investigation report

22. In the investigation report the AP found that the UWV processes personal data about health in the employer portal. Access to the employer portal is obtained by entering an email address and a password. This is a form of one-factor authentication.

23. From Article 13 of the Wbp, now Article 32, first paragraph, of the GDPR, it follows that a controller applies appropriate measures to protect personal data against loss or any form of unlawful processing. The term "appropriate" also implies proportionality between the security measures and the nature of the data to be protected. Given the personal data processed in the UWV's employer portal, namely data about the health of employees, access to the portal via the internet should, given the state of the art, take place by means of at least multi-factor authentication.

24. The UWV has taken certain measures against unauthorized access to the employer portal, such as conducting annual penetration and security tests and continuous logging and monitoring of use. As regards authentication these measures are not suitable, because they cannot provide an appropriate level of protection for gaining access to the application. Because the UWV applies neither multi-factor authentication nor any other appropriate measures with regard to gaining access to the data contained in the employer portal, the UWV acts contrary to Article 13 of the Wbp, as it applied at the time.

Legal framework

25. The relevant legal framework is included as Annex 2 to this decision.

GDPR

26. In the investigation report the AP found a violation of the standard of Article 13 of the Wbp. As of 25 May 2018 the GDPR and the UAVG apply and the Wbp has been repealed.

27. In assessing whether there is also a violation of the GDPR standard, it is important that the standard under the GDPR does not change materially from the standard under the Wbp. The norm of Article 13 of the Wbp is now laid down in Article 32, first and second paragraph, of the GDPR. That article states that the controller, taking into account the state of the art, the implementation costs, as well as the nature, scope, context and purposes of the processing and the likelihood and severity of the risks to the rights and freedoms of persons, must take appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This obligation is materially consistent with the obligation of Article 13 of the Wbp.

28. This means that, since the investigated facts and the relevant circumstances have not changed since the investigation report, there is, as of 25 May 2018, a violation of Article 32, first paragraph, of the GDPR.

Viewpoint of the UWV

29. In response to the AP's intention to impose an order subject to a penalty, the UWV put forward during the hearing of 6 February 2018, in summary, that it acknowledges that the security of the employer portal does not meet the requirements arising from Article 13 of the Wbp, now Article 32, first paragraph, of the GDPR, because the UWV does not apply multi-factor authentication when granting access to the portal.

30. In April 2017 the UWV decided to start the implementation of eRecognition level 3 / Substantial, in which multi-factor authentication is applied, so that the violation of Article 13 of the Wbp, now Article 32, first paragraph, of the GDPR, is ended. As regards the confidence level, the UWV points out that the employer portal only displays health data showing that a sick report has been made or that someone is pregnant; the nature of the illness is not processed.

31. The UWV has explored other solutions, but sees connecting to eRecognition as the only real possibility to achieve multi-factor authentication. With the upcoming Digital Government Act (hereinafter: the Wdo) it is the intention that all government parties make use of the means provided for in that act.

32. In the implementation of eRecognition the UWV depends in part on others, and the UWV has run into a number of problems, causing the implementation to take longer than the UWV had hoped.

Assessment

Assessment framework

33. In the investigation report the AP noted that the UWV processes personal data in the employer portal, including special personal data: data about health, citizen service numbers (BSN), financial data and data about disability, dismissal and childbirth. Employers can log in to the portal via the internet with an e-mail address and password.[1] This is a form of one-factor authentication. As far as is known, this situation has not changed.

34. Article 32, first paragraph, of the GDPR stipulates that the controller must take appropriate technical and organizational measures to protect personal data against loss or unlawful processing. These measures guarantee, taking into account the state of the art and the implementation costs, an appropriate security level in view of the risks that the processing and the nature of the data to be protected entail.

35. This means that the controller, in this case the UWV, must translate the risks for the data subjects whose personal data are processed into the reliability requirements that the service offered (the employer portal) must satisfy, in line with the most recent and representative interpretation of those requirements within the field of information security.

36. In determining the risk for the data subject, the nature of the personal data and the nature of the processing are, among other things, important: these factors determine the potential damage to individuals in the event of, for example, loss, alteration or unlawful processing of data. For translating the risk into the confidence level of the employer portal, the UWV can use the Guide "Reliability levels for digital services, a guide for government organizations", version 4, of the Forum Standardisation (hereinafter: the Guide).

37. The use of this Guide is not mandatory, but it provides government organizations with an assessment framework for determining reliability levels for digital services, of which it can be accepted that it reflects the most recent insights and requirements. Security standards then, after the applicable confidence level has been determined, provide guidance in taking appropriate measures.[2]

38. The AP has investigated whether the UWV has taken appropriate measures regarding authentication when logging into the employer portal, on the basis of the nature of the personal data to be protected, which translates into a minimum level to be applied. The assessment in this decision is therefore based only on the nature of the personal data to be protected. It is not excluded that factors other than the nature of the personal data require a higher level of security. The AP cannot, however, as in the present case, assess for or in the place of the UWV all the relevant factors included in version 4 of the Guide. It is up to the UWV to include these factors in a risk analysis and thus determine the correct security level.[3]

Health data

39. Article 4, section 15, of the GDPR gives the following definition: "data concerning health" means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. Under the GDPR the meaning of "health data" remains unchanged: it includes not only data obtained in medical research or medical treatment, but all data concerning the mental or physical health of a person. A report that someone is sick is data about health, even though it says nothing about the nature of the condition.[4] In the employer portal the following data are processed: the start date of sick leave, the end date of sick leave, illness due to pregnancy, childbirth or organ donation, date of birth and date of maternity leave.

40. In view of the nature of the personal data, the employer portal therefore involves data concerning a person's health, which is a special category of personal data as referred to in Article 9, first paragraph, of the GDPR.

Increased risk

41. In the Guidelines for the security of personal data the AP has elaborated the requirements regarding security. The AP indicates that for certain categories of personal data the consequences of loss or unlawful processing can be serious; these are data with an increased or high risk. These categories in any case include special personal data.

42. In addition, the AP uses version 4 of the Guide.[5] Its confidence levels are based on the eIDAS regulation for electronic identification and trust services, in force since 1 July 2016 (hereinafter: the eIDAS regulation).[6] The eIDAS regulation distinguishes three assurance levels for authentication means: low, substantial and high. The Guide provides a classification model with which a simplified risk analysis of the digital service can be made on the basis of the nature of the personal data to be protected. In this model four classes of personal data are distinguished: class 0, I (basic), II (increased risk) and III (high risk), where data with an increased risk also carry higher security level requirements.

43. The AP ascertains that the data processed in the employer portal are, according to the Guide, so-called class II personal data, because they concern special personal data.[7] Class II data carry an increased risk. There is no high risk, as with so-called class III data, given the nature of the data processed in the portal.

Multi-factor authentication

44. For the processing of class II data the Guide prescribes the minimum confidence level "substantial".[8] Also in answering the question which measures are appropriate at this confidence level, as referred to in Article 32, first paragraph, of the GDPR, the Guide offers a framework: for both confidence level "substantial" and confidence level "high", the type of authenticator required is multi-factor authentication.[9]

45. The requirement of multi-factor authentication when granting access to a system in which health data are processed is, moreover, also laid down in security standards such as NEN 7510, which describes the application of the Code for information security ISO/IEC 27002 in health care: "Health information systems that process personal health information shall determine the identity of users by means of authentication involving at least two factors."[10]

46. An appropriate measure as referred to in Article 32, first paragraph, of the GDPR is therefore that access to the employer portal uses multi-factor authentication. Since access to the portal takes place through a form of one-factor authentication, the UWV acts contrary to Article 32, first paragraph, of the GDPR. The UWV has also recognized this.

Offender

47. The AP regards the UWV as the offender, because it is the controller within the meaning of the GDPR. The UWV determines the purposes and means of the processing of personal data: the employer portal is a service of the UWV and is made available by the UWV to employers, and the purposes of the data processing are determined by the UWV. The UWV also has it in its power to end the violation.

The UWV's solution: eRecognition

48. By letter of 25 January 2016 the UWV had already recognized the violation of Article 13 of the Wbp, now Article 32, first paragraph, of the GDPR. The UWV indicated that it intends to make use of eRecognition for the employer portal, which provides for the use of multi-factor authentication when granting access to the employer portal.

49. eRecognition is a system that gives companies electronic access to government services. Entrepreneurs or employees of an organization can log in with one means and identify themselves easily at different organizations. Government organizations need not develop their own authentication system, but can connect to the system. The development of eRecognition is a public-private partnership under the direction of the Ministries of Economic Affairs and Climate Policy and of the Interior and Kingdom Relations. eRecognition distinguishes five confidence levels. These confidence levels have been aligned with the three assurance levels that the eIDAS regulation distinguishes and with the requirements the regulation imposes on the means. The government organization itself determines the confidence level that is applied.

50. The UWV has indicated that the introduction of eRecognition by the UWV should be viewed in the light of the Wdo, which is currently in preparation. The Wdo regulates how Dutch citizens and companies can log in with (semi-)government bodies and also implements the EU directive on the accessibility of government websites and apps.[11] Ahead of the Wdo, eRecognition has been developed by the government.

51. The UWV has indicated that it sees the implementation of eRecognition as the only real solution. It has explored possible interim solutions, of which multi-factor authentication with SMS as the second factor was the most feasible and secure alternative. An interim solution would, however, delay the implementation of eRecognition as long as that implementation is ongoing, because both must be done by the same team. An interim solution would also not be effective and proportionate, because two drastic implementation trajectories would have to be gone through in a short time. This leads to extra administrative burden for employers and ineffective use of public resources.

Time course / planning

52. The UWV has indicated that it already set out in 2015 to connect to eRecognition. For the UWV, however, the availability in the eRecognition system of the RSIN (Legal Entities and Partnerships Information Number) and of the BSN for sole proprietorships is necessary, because without these numbers the UWV cannot link eRecognition to its systems. The expansion of the system with these numbers depends on third parties, and the UWV set this expansion as a condition for the implementation. In April 2017 the UWV decided to implement eRecognition, because from that moment the RSIN is linked to eRecognition (87.7% of the users of the employer portal are identified by RSIN). At that time the UWV expected the connection to eRecognition to be realized in May 2018. In November 2017 the UWV completed the preliminary research. In February 2018 the UWV drew up the project plan eRecognition Employer Portal, which it provided to the AP at the AP's request.

53. According to this project plan the UWV takes 1 November 2018 as the implementation date, followed by a rollout period of one year in which users of the portal can switch. The UWV has indicated that it now assumes implementation in the fourth quarter of 2018. The BSN is also expected to be added to the system in the second half of 2018; for this the same implementation date and rollout period apply. There is also a group of users (0.7%) who cannot make use of eRecognition and for whom no solution is available yet. The UWV has indicated that if no solution becomes available, this group can no longer use the employer portal as of 1 November 2019.

Confidence level; application of version 4 of the Guide

54. In 2015 the UWV performed a risk analysis using the then available version 3 of the Guide of the Forum Standardisation.[12] That version of the Guide is based on the European STORK framework. This risk analysis showed that level STORK 3 is appropriate. The UWV provided this risk analysis to the AP at the AP's request by letter of 3 April 2018.

55. In November 2016 version 4 of the Guide appeared. This version is no longer based on the STORK framework but, as indicated above, on the eIDAS regulation. According to the UWV there is nevertheless no reason to reassess the 2015 risk analysis against the newest version of the Guide: "In the risk analysis of 2015 the UWV already took the eIDAS system into account as proposed legislation. Therefore the new version of the Guide has not given any reason to perform a new risk analysis."

56. According to the project plan eRecognition Employer Portal, the UWV has chosen to connect to eRecognition level 3. This corresponds to eIDAS level substantial.

57. The AP establishes that the UWV's risk analysis from 2015 is based on version 3 of the Guide. The norm of Article 32, first paragraph, of the GDPR, and previously Article 13 of the Wbp, requires the controller to take appropriate technical and organizational measures in order to ensure an appropriate security level, taking into account, among other things, the state of the art. This implies, among other things, that a risk assessment once carried out must from time to time be updated using the currently valid standards. This is lacking on the part of the UWV, because the risk analysis from 2015 has not been carried out again using the most recent version of the Guide. As a result it is possible that, at the end of the implementation period of, in this case, eRecognition, there is still no appropriate security level.

58. Although reliability level STORK 3 under version 3 of the Guide corresponds to eIDAS confidence level substantial under version 4 of the Guide, the two versions of the Guide use different assessment frameworks. It is therefore possible that the outcome is that a higher confidence level should be assumed than the UWV has up to now assumed on the basis of version 3 of the Guide. The choice of measures to be taken must guarantee a security level appropriate to the risk. The AP cannot, for or in the place of the UWV, assess all the relevant factors included in version 4 of the Guide.

Order and grace period

59. From Article 16, first paragraph, of the UAVG in conjunction with Article 5:32, first paragraph, of the Awb it follows that the AP is authorized to impose an order subject to a penalty in the event of a violation of Article 32, first paragraph, of the GDPR. Pursuant to Article 5:2, first paragraph, under b, of the Awb, the order is aimed at ending the detected violation or preventing its recurrence.

60. The AP orders the UWV to end the violation of Article 32, first paragraph, of the GDPR within the grace period. To that end measures must be taken to ensure an appropriate security level with regard to access to the employer portal, whereby logging in is only possible by means of an appropriate form of multi-factor authentication (for example by using eRecognition). Since the UWV used a meanwhile outdated version of the Guide in determining the confidence level for the employer portal, the UWV must redetermine the confidence level by performing a risk analysis using version 4 of the Guide.

61. Article 5:32a, second paragraph, of the Awb provides that a grace period is set during which the offender can execute the order without forfeiting a penalty. The period during which the order can be carried out without forfeiting a penalty must be short, but long enough to be able to carry out the order.

62. Having regard to the foregoing, the AP decides that the UWV must have complied by 31 October 2019 at the latest. In determining the grace period the AP has taken into account the UWV's planning for the implementation of eRecognition, including the roll-out period of one year after implementation on 1 November 2018.

63. Article 5:32b, third paragraph, of the Awb prescribes that the penalty amounts must be in reasonable proportion to the severity of the violated interest and to the intended effect of the penalty. It is important that a penalty provides such an incentive that the order is complied with.

64. If the UWV does not end the detected violation within the grace period, it forfeits a penalty. The AP sets the amount of this penalty at € 150,000 for each month that the order has not been (fully) carried out, up to a maximum of € 900,000. The AP considers the level of these amounts to be in reasonable proportion to the gravity of the violation and the interest violated, namely the protection of special personal data and of the privacy of the data subjects, and they are also sufficiently high to end the violation. In this the AP has taken into account the costs associated with the implementation of eRecognition, as well as the structural additional costs per year.

65. The AP requests the UWV to send, before 1 October 2018, the re-performed risk analysis in which the UWV assigns a reliability level to the employer portal. The AP points out that it is authorized to conduct an investigation, including an on-site investigation, if it deems this useful.

Operative part

The AP imposes on the UWV, for violation of Article 32, first paragraph, of the GDPR, an order subject to a penalty with the following content:

- The UWV must, by 31 October 2019 at the latest, provide access to the employer portal with an appropriate security level, whereby logging in from that moment is only possible by means of an appropriate form of multi-factor authentication. The UWV must redetermine the confidence level by performing a risk analysis using version 4 of the Guide.
- After expiry of this term the UWV forfeits a penalty of € 150,000 (in words: one hundred and fifty thousand euros) for each month that the order is not (fully) carried out, up to a maximum of € 900,000 (in words: nine hundred thousand euros).

The Dutch Data Protection Authority,
on its behalf,
Signed
Mr. A. Wolfsen
Chairman

If you do not agree with this decision, you can submit an objection within six weeks after this decision was sent to the Autoriteit Persoonsgegevens, P.O. Box 93374, 2509 AJ Den Haag, stating "Awb objection" on the envelope.

Footnotes

[1] Authentication: the process of verifying that a user who logs into an application or system is actually who he or she claims to be.
[2] See also CBP Guidelines, Security of personal data, February 2013.
[3] See, with regard to the risk analysis of the UWV, margin number 54 and further of this decision.
[4] Parliamentary Papers II 1997/98, 25 892, No. 3, p. 102.
[5] A guide for government organizations: Reliability levels for digital services, version 4, Forum Standardisation.
[6] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market.
[7] A guide for government organizations, version 4, Forum Standardisation, p. 33.
[8] A guide for government organizations, version 4, Forum Standardisation, p. 29. An assessment based on all the criteria mentioned in version 4 of the Guide may result in confidence level "high" instead of "substantial". The UWV will have to make this assessment itself; see also margin number 54 and further.
[9] A guide for government organizations, version 4, Forum Standardisation, p. 24-25; Implementing Regulation (EU) 2015/1502 of the European Commission setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8(3) of Regulation (EU) No 910/2014, on which the Guide is based.
[10] NEN 7510 (2017), p. 57.
[11] https://www.digitaleoverheid.nl/ilisi/identification-en-authenticatie/eid/wet-gdi/
[12] A guide for government organizations: assurance levels for authentication at electronic government services, version 3, Forum Standardisation.
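To make the chain of reasoning in paragraphs 42 to 46 concrete (class of personal data, then minimum eIDAS assurance level, then whether a multi-factor authenticator is required, then whether a given login configuration satisfies it), here is an added example written for this page; it is not code from the AP, the UWV or the Forum Standardisation. The class II to "substantial" to multi-factor chain and the health-data categories come from the decision text; the remaining class-to-assurance rows, the factor-type table, the sample portal configurations and every function and field name are assumptions constructed for illustration. The check also encodes a point the decision's "at least two factors" wording implies but does not spell out: two prompts of the same factor type (a password plus a security question) are still one factor.

```python
from dataclasses import dataclass
from enum import IntEnum


class DataClass(IntEnum):
    """Personal-data classes of the Guide's simplified model (decision, paragraph 42)."""
    CLASS_0 = 0
    CLASS_I = 1     # basic
    CLASS_II = 2    # increased risk: includes special categories such as health data
    CLASS_III = 3   # high risk


class Assurance(IntEnum):
    """eIDAS assurance levels for authentication means (decision, paragraph 42)."""
    LOW = 1
    SUBSTANTIAL = 2
    HIGH = 3


# Category of personal data -> data class. The health-related rows follow
# paragraphs 39 and 43 (special category, class II); the first row is an assumed
# placeholder for illustration and is not taken from the Guide.
CATEGORY_CLASS = {
    "employer_contact_details": DataClass.CLASS_I,
    "sick_leave_start_date": DataClass.CLASS_II,
    "sick_leave_end_date": DataClass.CLASS_II,
    "pregnancy_related_absence": DataClass.CLASS_II,
    "maternity_leave_date": DataClass.CLASS_II,
}

# Minimum assurance level per data class. Class II -> "substantial" is stated in
# paragraph 44; the other rows are assumptions in the spirit of the model.
MIN_ASSURANCE = {
    DataClass.CLASS_0: Assurance.LOW,
    DataClass.CLASS_I: Assurance.LOW,
    DataClass.CLASS_II: Assurance.SUBSTANTIAL,
    DataClass.CLASS_III: Assurance.HIGH,
}

# Paragraph 44: both "substantial" and "high" require a multi-factor authenticator.
MFA_REQUIRED_FROM = Assurance.SUBSTANTIAL

# Factor types in the usual sense (something you know, have, or are). An e-mail
# address is only an identifier and contributes no factor at all.
FACTOR_TYPE = {
    "password": "knowledge",
    "security_question": "knowledge",   # same type as a password: adds no second factor
    "sms_otp": "possession",            # the interim second factor the UWV weighed (paragraph 51)
    "hardware_token": "possession",
    "fingerprint": "inherence",
}


@dataclass(frozen=True)
class Finding:
    portal: str
    data_class: DataClass
    required_assurance: Assurance
    factor_types: tuple
    multi_factor: bool
    compliant: bool
    reason: str


def data_class_for(categories):
    """A service is classified by the most sensitive category it processes."""
    return max((CATEGORY_CLASS[c] for c in categories), default=DataClass.CLASS_0)


def factor_types_of(factors):
    """Distinct factor types present, so duplicates of one type collapse to one."""
    return tuple(sorted({FACTOR_TYPE[f] for f in factors}))


def is_multi_factor(factors):
    """Multi-factor means at least two different factor types, not two prompts."""
    return len(factor_types_of(factors)) >= 2


def evaluate(portal_name, categories, factors):
    """Derive the minimum assurance level from the data and test the login config against it."""
    cls = data_class_for(categories)
    required = MIN_ASSURANCE[cls]
    mfa_needed = required >= MFA_REQUIRED_FROM
    types = factor_types_of(factors)
    mfa = len(types) >= 2
    if mfa_needed and not mfa:
        reason = (f"class {cls.name} data require assurance level {required.name}, which "
                  f"needs multi-factor authentication; configured factor types: {types}")
        return Finding(portal_name, cls, required, types, mfa, False, reason)
    return Finding(portal_name, cls, required, types, mfa, True,
                   "authentication strength meets the minimum for the data processed")


# Constructed sample configurations, not the UWV's real settings.
HEALTH_CATEGORIES = ("employer_contact_details", "sick_leave_start_date",
                     "sick_leave_end_date", "pregnancy_related_absence", "maternity_leave_date")
SAMPLE_PORTALS = {
    "employer_portal_as_investigated": (HEALTH_CATEGORIES, ("password",)),
    "employer_portal_with_security_question": (HEALTH_CATEGORIES, ("password", "security_question")),
    "employer_portal_with_sms_interim": (HEALTH_CATEGORIES, ("password", "sms_otp")),
    "employer_portal_with_token": (HEALTH_CATEGORIES, ("password", "hardware_token")),
    "public_info_portal": (("employer_contact_details",), ("password",)),
}


def evaluate_all(portals=SAMPLE_PORTALS):
    return {name: evaluate(name, cats, factors) for name, (cats, factors) in portals.items()}


if __name__ == "__main__":
    for f in evaluate_all().values():
        print(f"{f.portal}: {'OK' if f.compliant else 'NON-COMPLIANT'} - {f.reason}")
```

The check deliberately models only the nature-of-the-data axis the AP itself used (paragraph 38); a full version 4 risk analysis weighs more factors and can land on "high" instead of "substantial" (footnote 8), so a passing result here is a floor, not a certificate.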